Comments on the ‘HoeflerText font not found’ Malware

Back in May 2017 Google Chrome was the victim of an attack that prompted users to download “missing font” malware. Since then Tod Beardsley, Research Director at Rapid7, has commented on the attack.

“The ‘HoeflerText font not found’ malware lure, which targets Google Chrome users on Windows, continues to make the rounds via compromised WordPress sites. This attack was first documented by researchers at Proofpoint in mid-January, and gets a lot of design elements right where other malware lures fail. The prompt is disguised as a seemingly-legitimate popup sourced from the browser.

So far, the attacks appear to be limited to compromised WordPress sites — a field that is, unfortunately, rich with targets. While most WordPress vulnerabilities are actually found in non-standard WordPress plugins, a rather serious vulnerability was patched in the 4.7.2 release of the WordPress core engine in late January.

Operators of WordPress sites are urged to patch up to at least version 4.7.2 as soon as possible, since the vulnerability discovered by Sucuri can be exploited by attackers to arbitrarily rewrite any post hosted on a WordPress site, including the ability to inject malware lures such as the missing HoeflerText font attack.

Chrome users should be aware that legitimate warnings from the Chrome browser will never appear as overlays to a web page. Specifically, Chrome does not offer any functionality for prompting for a missing font download, and all such prompts are sourced from malware or malvertising campaigns. In the rare cases the browser needs to communicate a security or misconfiguration warning to the user, these warnings will appear as a full, replacement page, such as the familiar “Your connection is not private” warning for misconfigured SSL certificates.”